[Today's post comes to us courtesy of Chris Puckett] When you attempt to install SBS 2008 UR 3 (969121) it may fail with error code 6BA "Windows Update encountered an unknown error".
The C:\Windows\WindowsUpdate.log file for this update reports error 0x80070643 / 0x000006BA.
Troubleshooting: One of the actions SBS2008 Update Rollup 3 (UR3) performs is to change the Integrated Windows authentication in the companyweb site from NTLM to Negotiate (Kerberos) while maintaining client integration to allow you to browse http://companyweb from the server after installing IE rollup 963027 or later, IE8 or Windows 2008 SP 2.
Check the C:\Windows\temp\EnableKerberosLog_2009_<date_time>.log file for more clues.
1. If you see text similar to the log below, it’s most likely that the zone has changed:
2009/09/04 13:35:45| Reading registry keys to get URL for SBS SharePoint 2009/09/04 13:35:45| Url found: https://remote.contoso.com:987 2009/09/04 13:35:45| Trying to enable Kerberos, as well as set other authentication configurations 2009/09/04 13:35:45| Backup original settings of site https://remote.contoso.com:987 2009/09/04 13:35:46| Webapplication found 2009/09/04 13:35:46| Webapplication is running in app pool with identity NetworkService 2009/09/04 13:35:46| Checking authenticaiton mode for Default zone 2009/09/04 13:35:46| Authentication provider is Kerberos 2009/09/04 13:35:46| Originally not allow anonymous 2009/09/04 13:35:46| Originally client integration enabled 2009/09/04 13:35:46| Originally not use basic authentication 2009/09/04 13:35:46| Original settings backup-ed. The machine is ready for authentication settings configuration 2009/09/04 13:35:46| Calling stsadm.exe to enable Kerberos with parameter "-o authentication -url https://remote.contoso.com:987 -type windows -enableclientintegration -usewindowsintegrated" 2009/09/04 13:35:47| Microsoft.WindowsServerSolutions.IWorker.EnableKerberos.InstallException: Fail to enable Kerberos with exit code -1 at Microsoft.WindowsServerSolutions.IWorker.EnableKerberos.EnableKerberosHelper.TryEnableKerberos() at Microsoft.WindowsServerSolutions.IWorker.EnableKerberos.Program.Main(String[] args) Check the zones in SharePoint Central Administration.
a. Open SharePoint 3.0 Central Administration, click the Operations tab, and then click Alternate access mappings (under Global Configuration).
b. If https://remote.contoso.com:987 and http://companyweb are not in the zones mentioned above, adjust them accordingly and try installing SBS 2008 Update Rollup 3 again.
Note: https://Remote.contoso.com:987 should be in the Default zone. If it is in the Internet zone, this can prevent SBS 2008 UR3 from changing the authentication mode on companyweb and resulting in the SBS 2008 UR3 installation failure.
2. If you see text similar to the log below, you may need to specify a domain prefix like remote or www along with the external domain name in the IAMW.
2009/09/03 15:55:34| Reading registry keys to get URL for SBS SharePoint 2009/09/03 15:55:34| Url found: https://.contoso.com:987 2009/09/03 15:55:34| Trying to enable Kerberos, as well as set other authentication configurations 2009/09/03 15:55:34| Backup original settings of site https://.contoso.com:987 2009/09/03 15:55:34| Microsoft.WindowsServerSolutions.IWorker.EnableKerberos.InstallException: https://.contoso.com:987 is not in correct URI format ---> Microsoft.WindowsServerSolutions.IWorker.EnableKerberos.KerberosConfigurationException: https://.contoso.com:987 is not in correct URI format ---> System.UriFormatException: Invalid URI: The hostname could not be parsed. at System.Uri.CreateThis(String uri, Boolean dontEscape, UriKind uriKind) at Microsoft.WindowsServerSolutions.IWorker.EnableKerberos.EnableKerberosHelper.BackupOriginalSettings(String url) --- End of inner exception stack trace --- You have two options here.
Option 2 involves running the IAMW two times but may temporarily affect external Outlook and OWA clients from accessing email and RWW and SharePoint will temporarily not work with the contoso.com URL that users will be used to using because the certificate and URL will change from contoso.com to remote.contoso.com for example. Option 1 avoids this, but requires manual steps to perform. Choose one method.
Choose Option 1 or 2. It is not necessary to do both. Option 1: Manually edit the registry and SharePoint.
a. Open regedit and navigate to HKLM\Software\Microsoft\SmallBusinessServer\Networking.
b. Double-click PublicFQDNPrefix. Type remote and click OK.
c. Try installing SBS 2008 Update Rollup 3 again.
d. Open an elevated command prompt and change directories to C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\Bin.
e. Run this command: stsadm.exe -o authentication -url https://contoso.com:987 -type windows –enableclientintegration -usewindowsintegrated
f. The URL will be the value of PublicFQDNProvider in the registry key mentioned in step a. You can also get this command and URL from the EnableKerberos log file mentioned above. It will return Operation completed successfully if it completes successfully. If it fails with a syntax error try retyping the dashes. If it still fails with a syntax error try manually typing in the entire command.
g. Open regedit and navigate to HKLM\Software\Microsoft\SmallBusinessServer\Networking.
h. Double-click PublicFQDNPrefix. Delete the remote value and click OK.
Option 2: Re-run the IAMW to set the proper URL.
a. Open the Windows SBS Console. On the Home tab, click Set up your Internet address.
b. Specify your external domain name in the wizard like contoso.com (not contoso.local).
c. On that same page, click the Advanced settings link.
d. Uncheck the box ‘Do not use a domain prefix’. Set the domain prefix set to remote or whatever (this is temporary) and do not check the box ‘Do not use a domain prefix’.
e. Click OK and finish the wizard.
f. Try installing SBS 2008 Update Rollup 3 again.
g. Re-run IAMW. Click the Advanced settings link on the page where you type the domain name (contoso.com).
h. Check the box ‘Do not use a domain prefix’.
i. Click Yes, OK, Yes and finish the wizard.
3. If the only text you see in the log is like the example below, your companyweb site may be inaccessible for some reason.
2009/09/04 14:33:46| Reading registry keys to get URL for SBS SharePoint 2009/09/04 14:33:46| Url found: https://remote.contoso.com:987 2009/09/04 14:33:46| Trying to enable Kerberos, as well as set other authentication configurations 2009/09/04 14:33:46| Backup original settings of site https://remote.contoso.com:987 OR
2009/09/04 14:34:42| Rolling back to NTLM 2009/09/04 14:34:42| The install was not started. Nothing to rollback OR
2009/09/04 14:34:42| Kerberos Enabling fix is not installed. Do nothing this time SharePoint is inaccessible.
See this post for the details: http://blogs.technet.com/sbs/archive/2009/05/06/companyweb-inaccessible-after-sharepoint-3-0-service-pack-2.aspx
4. If you’ve made it to this point and it’s still not fixed, consider engaging Microsoft Support for assistance.
My issue may have just coincided by coincidence to installing the update rollup 3 for SBS 2008, but I was unable to access the OWA website after the update installed. Error messages from an external browser and the server follow below.
To resolve, I attempted to reinstall the Client Access Role which required reconfiguring the internet address and third party certificate. I also tried to fix by running the "fix my network wizard" and the "SBS 2008 BPA". I also enabled ASP.NET v1.1.4322 in the ISAPI and CGI Restrictions in IIS7.
This issue was resolved by emptying the contents of the following folder: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files\owa
Error Messages
Server Error in '/owa' Application.
Runtime Error
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed.
Details: To enable the details of this specific error message to be viewable on the local server machine, please create a <customErrors> tag within a "web.config" configuration file located in the root directory of the current web application. This <customErrors> tag should then have its "mode" attribute set to "RemoteOnly". To enable the details to be viewable on remote machines, please set "mode" to "Off".
<!-- Web.Config Configuration File -->
<configuration>
<system.web>
<customErrors mode="
Only"/>
</system.web>
</configuration>
Notes: The current error page you are seeing can be replaced by a custom error page by modifying the "defaultRedirect" attribute of the application's <customErrors> configuration tag to point to a custom error page URL.
<customErrors mode="On" defaultRedirect="mycustompage.htm"/>
and this message was in the event log:
Event code: 3008
Event message: A configuration error has occurred.
Event time: 9/10/2009 9:32:59 AM
Event time (UTC): 9/10/2009 2:32:59 PM
Event ID: b8482dca33d84ef6baab3ea89d8318c8
Event sequence: 1
Event occurrence: 1
Event detail code: 0
Application information:
Application domain: /LM/W3SVC/3/ROOT/owa-4-128970667790767635
Trust level: Full
Application Virtual Path: /owa
Application Path: C:\Program Files\Microsoft\Exchange Server\ClientAccess\owa\
Machine name: YOURSERVER
Process information:
Process ID: 5204
Process name: w3wp.exe
Account name: NT AUTHORITY\SYSTEM
Exception information:
Exception type: HttpException
Exception message: Could not load file or assembly 'Microsoft.Exchange.Clients.Owa, Version=8.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The parameter is incorrect. (Exception from HRESULT: 0x80070057 (E_INVALIDARG))
Request information:
Request URL: http://remote.yoursite.com/owa/auth/logon.aspx?url=http://remote.yoursite.com/owa/&reason=0
Request path: /owa/auth/logon.aspx
User host address: x.x.x.x
User:
Is authenticated: False
Authentication Type:
Thread account name: NT AUTHORITY\SYSTEM
Thread information:
Thread ID: 8
Is impersonating: False
Stack trace: at System.Web.Compilation.BuildManager.ReportTopLevelCompilationException()
at System.Web.Compilation.BuildManager.EnsureTopLevelFilesCompiled()
at System.Web.Hosting.HostingEnvironment.Initialize(ApplicationManager appManager, IApplicationHost appHost, IConfigMapPathFactory configMapPathFactory, HostingEnvironmentParameters hostingParameters)
Custom event details:
- System
- Provider
[ Name] ASP.NET 2.0.50727.0
- EventID 1310
[ Qualifiers] 32768
Level 3
Task 3
Keywords 0x80000000000000
- TimeCreated
[ SystemTime] 2009-09-10T14:32:59.000Z
EventRecordID 1627641
Channel Application
Computer YOURFQDN
Security
- EventData
3008
A configuration error has occurred.
9/10/2009 9:32:59 AM
9/10/2009 2:32:59 PM
b8482dca33d84ef6baab3ea89d8318c8
1
0
/LM/W3SVC/3/ROOT/owa-4-128970667790767635
Full
/owa
C:\Program Files\Microsoft\Exchange Server\ClientAccess\owa\
YOURSERVER
5204
w3wp.exe
NT AUTHORITY\SYSTEM
HttpException
Could not load file or assembly 'Microsoft.Exchange.Clients.Owa, Version=8.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The parameter is incorrect. (Exception from HRESULT: 0x80070057 (E_INVALIDARG))
http://remote.yoursite.com/owa/auth/logon.aspx?url=http://remote.yoursite.com/owa/&reason=0
/owa/auth/logon.aspx
192.168.168.1
False
8
at System.Web.Compilation.BuildManager.ReportTopLevelCompilationException() at System.Web.Compilation.BuildManager.EnsureTopLevelFilesCompiled() at System.Web.Hosting.HostingEnvironment.Initialize(ApplicationManager appManager, IApplicationHost appHost, IConfigMapPathFactory configMapPathFactory, HostingEnvironmentParameters hostingParameters)
Do you plan to fix (for me, it will be a fix) the way the wizard for domain behave? I mean to have the possibility to choose 2 domains : the default exchange and the one for access from wan.
Option one worked a treat for me so many thanks and keep the good work